Need to Disable TLS 1.0 & 1.1 for port TCP-3978

L1 Bithead

Can someone suggest how we can disable TLS 1.0 & 1.1 on port TCP-3978?

Description: The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.
As of March 31, 2020, endpoints that aren't enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.


Thanks.

VK

Accepted Solutions
L1 Bithead

Solution:

Login to Panorama.

Go to Panorama > Certificate Management > Certificates > Generate (you can use an existing root cert or create a new cert).

Go to Panorama > Certificate Management > SSL/TLS Service Profile > Add (select your newly created cert); create 2 certs, for primary and secondary.

Go to Panorama > Setup > Secure Communication Settings > Customize Communication > select HA Communication.

Note: in Palo Alto 8.x.x we can only disable TLSv1.0; we cannot disable TLSv1.1 on port 3978. TAC has confirmed this to us.

Verify:

Go to Panorama > Managed Devices > Summary; the device state must be Connected and Certificate "untrusted issuer".

Go to Panorama > Managed Collectors > Status: in sync.

 

VK



All Replies
L7 Applicator

If you have access to the server certificate + key, you can set up inbound SSL decryption and enforce 1.2 or higher through the decryption profile.


Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Cyber Elite

Hi @viveksk.gupta 

As far as I know there is no configuration option to disable TLS 1.0/1.1 on this Panorama management port. At least I hope that the firewalls will use TLS 1.2 for this connection, so if there is a firewall between the firewalls and Panorama you could block TLS 1.0/1.1 connection attempts with a custom vulnerability signature.

L1 Bithead

Hi,

Thanks for your reply...

We have created a profile, disabled TLSv1.0 and TLSv1.1 and enabled TLSv1.2. I have done a packet capture and can see communication using TLSv1.2 (TAC also confirmed TLSv1.0 is disabled), but the security team is still able to see TLSv1.0 and TLSv1.1 in the scan report. Thanks

VK
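The discrepancy in the post above (packet capture shows TLS 1.2, scanner still reports TLS 1.0/1.1) is the difference between what the firewall clients negotiate and what the Panorama port accepts: a capture of real traffic only shows the version the peers agreed on, while a scanner offers each old version on its own and records whether the server completes the handshake. The probe below reproduces the scanner's view so you can check the port directly after a configuration change. It is an added example for this thread, not Palo Alto or scanner code; the host name in the usage block is a placeholder, and port 3978 is the Panorama management port the thread is about.

```python
"""Probe which TLS protocol versions a TLS server actually accepts.

Added example for this thread, not Palo Alto code. A packet capture of
firewall-to-Panorama traffic shows what those clients negotiate; a scanner
tests what the server accepts by offering one old version at a time. Run
this against the Panorama management address on TCP/3978 to reproduce the
scanner's view.
"""
import socket
import ssl
import sys
import warnings

# Offer one protocol version at a time, oldest first.
PROBED_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# The versions PCI DSS and the scanner in the thread treat as findings.
DEPRECATED_VERSIONS = ("TLSv1.0", "TLSv1.1")


def _client_context(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is disabled deliberately: the port 3978
    certificate is issued by Panorama's own CA (the thread expects
    "untrusted issuer"), and we only care whether the handshake is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Python warns that TLSv1/TLSv1_1 are deprecated; offering them is
        # the whole point of the probe, so silence that here.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    # OpenSSL's default security level refuses to *offer* TLS 1.0/1.1 at all,
    # which would make every server look hardened. Lower it for the probe.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # TLS libraries without SECLEVEL (e.g. LibreSSL): probe as-is
    return ctx


def probe_tls_versions(host, port=3978, timeout=5.0):
    """Return {version: True | False | None} for the server at host:port.

    True  -> the server completed a handshake at that version
    False -> the server refused it (or the TCP connect failed, which also
             means nothing was accepted)
    None  -> this client's TLS library cannot offer that version, so the
             probe says nothing about the server for it
    """
    results = {}
    for name, version in PROBED_VERSIONS.items():
        try:
            ctx = _client_context(version)
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                # wrap_socket performs the handshake; with min == max pinned,
                # success means the server spoke exactly this version.
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def deprecated_versions_accepted(results):
    """Names of deprecated versions the server accepted, oldest first."""
    return [v for v in DEPRECATED_VERSIONS if results.get(v) is True]


if __name__ == "__main__":
    # Usage: python tls_probe.py <panorama-host-or-ip> [port]
    # The default host below is a placeholder for your own environment.
    target = sys.argv[1] if len(sys.argv) > 1 else "panorama.example.internal"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 3978
    found = probe_tls_versions(target, target_port)
    labels = {True: "ACCEPTED", False: "rejected", None: "not offered by client"}
    for name, accepted in found.items():
        print(f"{name:8s} {labels[accepted]}")
    bad = deprecated_versions_accepted(found)
    print("scanner would flag:", ", ".join(bad) if bad else "nothing")
```

If TLSv1.0 or TLSv1.1 comes back ACCEPTED, the server-side profile has not taken effect on that port, whatever the capture of firewall traffic shows. A `None` result means the probing machine's own TLS library would not offer that version, so run the probe from a host whose OpenSSL still can, or the check proves nothing for that version.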
L1 Bithead

Hi Reaper,

Port TCP-3978 is used for Panorama and Palo Alto firewall communication, and the SSL/TLS profile has TLSv1.2 enabled. Thanks

VK
L0 Member

Hey Viveksk.Gupta,

Can you give me a quick hint on how you set up the profile? We have the same problem and I'm pretty new to Palo Alto stuff, so a quick hint would be appreciated.

 

BR 

L1 Bithead

Hi Thartm,

Login to Panorama.

Go to Panorama > Certificate Management > Certificates > Generate (you can use an existing root cert or create a new cert).

Go to Panorama > Certificate Management > SSL/TLS Service Profile > Add (select your newly created cert); create 2 certs, for primary and secondary.

Go to Panorama > Setup > Secure Communication Server; select both your certificate and your profile (check "allow custom certificate only").

Verify:

Go to Panorama > Managed Devices > Summary; the device state must be Connected and Certificate "untrusted issuer".

Go to Panorama > Managed Collectors > Status: in sync.

 

Please follow the document below for more information on each setting.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panora...

VK
L0 Member

Thanks for the quick reply Viveksk.Gupta

I'll look into it.

